- (Exam Topic 2)
Which of the following is not a best practice for carrying out a security audit? Please select:

1. A. Conduct an audit on a yearly basis
2. B. Conduct an audit if application instances have been added to your account
3. C. Conduct an audit if you ever suspect that an unauthorized person might have accessed your account
4. D. Whenever there are changes in your organization

Correct Answer: A
A year's time is generally too long a gap for conducting security audits The AWS Documentation mentions the following
You should audit your security configuration in the following situations: On a periodic basis.
If there are changes in your organization, such as people leaving.
If you have stopped using one or more individual AWS services. This is important for removing permissions that users in your account no longer need.
If you've added or removed software in your accounts, such as applications on Amazon EC2 instances, AWS OpsWor stacks, AWS CloudFormation templates, etc.
If you ever suspect that an unauthorized person might have accessed your account.
Option B, C and D are all the right ways and recommended best practices when it comes to conducting audits For more information on Security Audit guideline, please visit the below URL:
https://docs.aws.amazon.com/eeneral/latest/gr/aws-security-audit-euide.html
The correct answer is: Conduct an audit on a yearly basis Submit your Feedback/Queries to our Experts

- (Exam Topic 1)
A company has the software development teams that are creating applications that store sensitive data in Amazon S3 Each team's data must always be separate. The company's security team must design a data encryption strategy for both teams that provides the ability to audit key usage. The solution must also minimize operational overhead
what should me security team recommend?

1. A. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) AWS managed CMKs Limit the key process to allow encryption and decryption of the CMKs to their respective teams onl
2. B. Force the teams to use encryption context to encrypt and decrypt
3. C. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) AWS managed CMK Limit the key policy to allow encryption and decryption of the CMK onl
4. D. Do not allow the teams to use encryption context to encrypt and decrypt
5. E. Tell the application teams to use two different S3 buckets with separate AWS Key Management Service (AWS KMS) customer managed CMKs Limit the key policies to allow encryption and decryption of the CMKs to their respective teams only Force the teams to use encryption context to encrypt and decrypt
6. F. Tell the application teams to use two different S3 buckets with a single AWS Key Management Service (AWS KMS) customer managed CMK Limit the key policy to allow encryption and decryption of the CMK only Do not allow the teams to use encryption context to encrypt and decrypt

Correct Answer: A

- (Exam Topic 2)
Which of the following is the most efficient way to automate the encryption of AWS CloudTrail logs using a Customer Master Key (CMK) in AWS KMS?

1. A. Use the KMS direct encrypt function on the log data every time a CloudTrail log is generated.
2. B. Use the default Amazon S3 server-side encryption with S3-managed keys to encrypt and decrypt the CloudTrail logs.
3. C. Configure CloudTrail to use server-side encryption using KMS-managed keys to encrypt and decrypt CloudTrail logs.
4. D. Use encrypted API endpoints so that all AWS API calls generate encrypted CloudTrail log entries using the TLS certificate from the encrypted API call.

Correct Answer: C
https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html

- (Exam Topic 2)
An application has been written that publishes custom metrics to Amazon CloudWatch. Recently, IAM changes have been made on the account and the metrics are no longer being reported.
Which of the following is the LEAST permissive solution that will allow the metrics to be delivered?

1. A. Add a statement to the IAM policy used by the application to allow logs:putLogEvents and logs:createLogStream
2. B. Modify the IAM role used by the application by adding the CloudWatchFullAccess managed policy.
3. C. Add a statement to the IAM policy used by the application to allow cloudwatch:putMetricData.
4. D. Add a trust relationship to the IAM role used by the application for cloudwatch.amazonaws.com.

Correct Answer: C
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/permissions-reference-cw.html

- (Exam Topic 2)
An organization is using AWS CloudTrail, Amazon CloudWatch Logs, and Amazon CloudWatch to send alerts when new access keys are created. However, the alerts are no longer appearing in the Security Operations mail box.
Which of the following actions would resolve this issue?

1. A. In CloudTrail, verify that the trail logging bucket has a log prefix configured.
2. B. In Amazon SNS, determine whether the “Account spend limit” has been reached for this alert.
3. C. In SNS, ensure that the subscription used by these alerts has not been deleted.
4. D. In CloudWatch, verify that the alarm threshold “consecutive periods” value is equal to, or greater than 1.

Correct Answer: C